Government Not Required to Disclose if HealthCare.gov Is Hacked

23 Dec 2013

Shortly before the launch of HealthCare.gov, the Health and Human Services Department had the choice of compelling the federal government to disclose any security threats to the site. According to John Fund at the National Review, they declined, meaning there is no way to know whether the site has been attacked.

HealthCare.gov is a massive operation — containing more code than Facebook and Microsoft Windows combined — and extremely difficult to keep secure. Unlike the websites of private corporations, however, there is no law that compels the federal government to disclose when its site has been breached. There could have been such a policy, but when the HHS Department was approached at a federal meeting about assuring Americans that they would be notified if their information was compromised, they simply did not implement the policy.

According to Fund, HHS reacted to the proposal by responding: “We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.”

He goes on to explain that we have, however, uncovered a number of problems with the security of state health care exchange websites because the law requires some states to disclose breaches or other problems. “No such law exists for the federally run exchange,” he adds, making many suspect that the government is deliberately trying to hide the risks from Americans. One consultant tells Fund that the government is aggressively trying to be a closed book on the matter. “They do not want to inform affected citizens of compromised personal information,” he adds, and, as Fund explains, they have no legal responsibility to do so.

Fund compares the potential hacking of HealthCare.gov to the recent disclosure of a massive security breach at Target stores on Black Friday that exposed the credit card information of 40 million shoppers. That information, which many experts suspect is being sold on the black market, can fall into the hands of hackers looking to make a quick dollar off of these cards before banks rapidly start shutting them down at the first sign of strange activity. The potential for havoc on American checking accounts is massive.

However, the villains of the Target story (besides, of course, Target itself) are garden variety hackers and fraudsters on the internet whose main objective is to make money. With a federal website like HealthCare.gov, the stakes are much higher, and such a breach poses a national security threat to the nation as a whole. Those looking to hack into federal websites are not just common hackers, but organized hacking teams sponsored by rival nations like China and Iran.

Worse, it’s been a banner year for cyber attacks from such state entities. In February, news broke that a group of hackers attacking “dozens” of American corporations, formerly thought to be private actors, was actually a wing of China’s People’s Liberation Army. China, citing the fact that such attacks are “anonymous and transnational,” denied the New York Times-surfaced report. The Times reported that the group had been stealing American government intellectual property for five years, and that it had resumed operations in May after a quiet period following the February revelations. It had good reason to report heavily on the story — the newspaper itself had been a target of such attacks at the beginning of the year.

China’s hackers have not stopped at trying to break through private corporate firewalls. By September, the Times reported that China has been staging an ongoing attack on U.S. defense contractors, attempting to unlock the secrets of American drone technology for its own use. China already has and often uses drones, but they are lagging in sophistication versus American models.

While the story of the cyberattack wing of China’s army trying to steal drone technology broke, the United States also reported cyberattacks from the rogue state of Iran. According to the Wall Street Journal, Iran targeted and successfully hacked into U.S. Navy computers, though fortunately they only found unclassified information in the computers attacked.

This is the hostile world in which the Obama administration launched the feebly protected HealthCare.gov. It is the world in which the government expects Americans to trust a shoddy federal website with their private information, which foreign enemies are salivating over the possibility of stealing. The potential for a Target-like hack that would result, at most, in millions of Americans having to cancel their credit cards and receive new ones is there; but, when a website asks you for everything from your Social Security number to the name of your grandparents’ dog, the destructive potential is gigantic — potential the government should have seen coming a mile away.